
Cybersecurity researchers have uncovered a cross-platform malware called RemotePE used by the North Korean-linked Lazarus Group in attacks targeting financial institutions and cryptocurrency organizations.
According to Fox-IT, a subsidiary of NCC Group, RemotePE is part of a multi-stage attack chain involving two loaders tracked as DPAPILoader and RemotePELoader.
“DPAPILoader uses the Windows Data Protection API (DPAPI) to decrypt and load RemotePELoader from disk,” said security researchers Yun Zheng Hu and Mick Koomen. “RemotePELoader sends a beacon to the C2 server and waits to receive the next stage, RemotePE, which is a RAT that runs entirely in memory, never writes to disk, and leaves no file system artifacts behind.”
RemotePE first came to the attention of security vendors in September 2025 in connection with attacks targeting unnamed organizations in the decentralized finance (DeFi) space, which led to the deployment of three malware families: PondRAT, ThemeForestRAT, and RemotePE.
The intrusion began with the attackers approaching victims on Telegram while posing as existing employees of a trading company, scheduling meetings on fake Calendly and Picktime domains, and then compromising the employees’ devices through social engineering.
The RemotePE infection sequence involves three stages, starting with the DPAPILoader DLL (‘Iassvc.dll’) using DPAPI to decrypt and load an encrypted payload from disk. The earliest DPAPILoader artifacts date back to November 2023.
The decrypted payload is another loader, RemotePELoader, designed to connect to a remote server (‘aes-secure[.]net’) over HTTP to retrieve the core module and run it in memory. But before doing so, it takes steps to evade detection using techniques such as Hell’s Gate and Event Tracing for Windows (ETW) patching.

The final stage is a full-fledged remote access Trojan called RemotePE written in C++ that polls a command and control (C2) server for further instructions. The malware supports six categories of commands and can:
Get or change the C2 configuration
Get or change the current working directory, register new DLL modules, get loaded DLLs, and unload DLLs
Perform file operations
Get a list of running processes, create a new one, or kill a process by ID
Sleep at a given interval or exit RemotePE
Ping a server
What’s interesting about the file deletion command is that it overwrites each file with a constant number of bytes seven times before renaming and deleting the file. This pattern is also seen in PondRAT and POOLRAT (also known as SIMPLESEA). PondRAT is considered to be a lightweight version of POOLRAT.
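The overwrite-rename-delete pattern described above is a useful detection signal on its own: ordinary editing rarely produces a run of same-sized writes to a file immediately before it is renamed and removed. The following is an added example written for this page, not code from Fox-IT or from the malware, that runs a simple state machine over constructed file-activity events (the event schema with `ts`, `pid`, `op`, `path`, `size` and `new_path` fields is an assumption, not any product's format) and flags a process that performs seven or more constant-size overwrites of a file, renames it, and then deletes it.

```python
from collections import defaultdict

# The report describes seven constant-size overwrites before rename and delete.
OVERWRITE_THRESHOLD = 7


def _ev(ts, pid, op, path, **extra):
    """Build one constructed file-activity event (schema is assumed)."""
    return {"ts": ts, "pid": pid, "op": op, "path": path, **extra}


# Constructed sample telemetry, not taken from any real incident.
DOC = r"C:\Users\alice\Documents\ledger.xlsx"
TMP = r"C:\Users\alice\Documents\a1b2c3.tmp"
NOTE = r"C:\Users\alice\Documents\notes.txt"

SAMPLE_EVENTS = (
    # pid 4242: seven same-size overwrites, rename, delete (the wipe pattern)
    [_ev(t, 4242, "write", DOC, size=4096) for t in range(1, 8)]
    + [_ev(8, 4242, "rename", DOC, new_path=TMP), _ev(9, 4242, "delete", TMP)]
    # pid 1000: ordinary editing (two writes of different sizes) then deletion
    + [
        _ev(10, 1000, "write", NOTE, size=120),
        _ev(11, 1000, "write", NOTE, size=131),
        _ev(12, 1000, "delete", NOTE),
    ]
)


def detect_wipe_sequences(events, threshold=OVERWRITE_THRESHOLD):
    """Return one finding per (pid, original path) where a file received
    `threshold` or more consecutive same-sized writes, was renamed, and was
    then deleted by the same process. Events are processed in timestamp order."""
    # state is keyed by (pid, current path); a rename moves the entry to the new path
    state = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["path"])
        op = ev["op"]
        if op == "write":
            st = state.get(key)
            if st is None or st["renamed"]:
                # first write to this path (or a write after rename): start a new track
                state[key] = {"orig": ev["path"], "writes": 1,
                              "size": ev["size"], "renamed": False}
            elif ev["size"] == st["size"]:
                st["writes"] += 1
            else:
                # size changed: normal editing looks like this, restart the count
                st["writes"], st["size"] = 1, ev["size"]
        elif op == "rename":
            st = state.pop(key, None)
            if st is not None:
                st["renamed"] = True
                state[(ev["pid"], ev["new_path"])] = st
        elif op == "delete":
            st = state.pop(key, None)
            if st is not None and st["renamed"] and st["writes"] >= threshold:
                findings.append({"pid": ev["pid"], "path": st["orig"],
                                 "writes": st["writes"], "deleted_at": ev["ts"]})
    return findings


def summarize(findings):
    """Group flagged file paths by process id for a short report."""
    by_pid = defaultdict(list)
    for f in findings:
        by_pid[f["pid"]].append(f["path"])
    return dict(by_pid)


if __name__ == "__main__":
    for pid, paths in summarize(detect_wipe_sequences(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: overwrite-rename-delete pattern on {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

The threshold is deliberately a parameter: a lower value catches variants that overwrite fewer times at the cost of more noise from legitimate secure-delete tools, so in practice the finding should be joined with process lineage (here the pid) before it is treated as an alert.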
Fox-IT said it had obtained four RemotePE samples indicating that the RAT was in active development from mid-2023 to mid-2024. The first version has a timestamp of July 4, 2023.
The researchers said, “The toolset’s environmental keying, memory-only execution, EDR avoidance, and low forensic footprint suggest that it was purpose-built for long-term observational campaigns. This allows the attacker to quietly maintain access for an extended period of time before moving on to a high-impact end goal, such as data theft or large-scale financial heist. This is consistent with this attacker’s known history.”
“The actor-in-the-loop delivery model and low detection rate of the toolset (neither RemotePELoader nor RemotePE appeared on VirusTotal prior to this publication) suggests that this toolset may be reserved for high-value targets for long-term, stealthy access. This is consistent with this Lazarus subgroup being known to focus on financial and cryptocurrency organizations.”
